ubuntu-appstore-developers team mailing list archive

Re: Embedded package signatures vs. transport level security


On 06/12/2013 02:11 PM, Marc Deslauriers wrote:
> On 13-06-05 11:39 AM, Loïc Minier wrote:
> <snip>
> 
>> Concerning the signed package approach, here are a couple of
>> implementations that would make it possible to sign the manifest and all
>> the package contents:
>> a. dpkg-sig[2]; I believe this generates an index called "digests" of the
>>    components of the ar file with corresponding SHA1 and MD5 hashes,
>>    then adds a GPG signature of that file as digests.asc to the
>>    archive
>>
>> b. GPG signing the .deb directly
>>
> 
> I took a quick look at dpkg-sig. Embedding a signature in the .deb by
> adding an extra file is novel.
> 
> dpkg-sig itself only handles SHA1 and MD5 though, which we would need to
> update to something better, and it seems to be unmaintained.
> 
> I think we should probably add this functionality directly to our click
> packages generation tool, possibly using the same approach as dpkg-sig,
> but with a better hashing algorithm, such as SHA512.
> 

To be clear, in scenario 'a', the developer uploads a deb to the
appstore server with an embedded signed digest file that the server can
verify on upload as signed by the developer. At some later point, the
appstore server creates a signed hash of the deb such that in secure
mode the user's client device when installing the software will download
the signed hash and the deb and verify the appstore signature on the
hash and compare the hash to the downloaded deb. Is this correct?

-- 
Jamie Strandboge                 http://www.ubuntu.com/
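The two-tier flow described in this message (a developer-signed per-member digest file embedded in the deb, then a store-signed hash of the whole deb that the client checks), as an added Python sketch that is not part of this thread, of click, or of dpkg-sig. It uses SHA512 as suggested above, and an HMAC over an assumed shared key as a stand-in for the OpenPGP signatures (digests.asc and the store signature) so that it runs offline with the standard library; the minimal ar reader/writer is constructed for the example.

```python
import hashlib
import hmac

def ar_pack(members):
    """Minimal 'ar' writer (outer container of a .deb); built for this example."""
    out = bytearray(b"!<arch>\n")
    for name, data in members:
        hdr = f"{name:<16}{0:<12}{0:<6}{0:<6}{0o100644:<8o}{len(data):<10}`\n"
        out += hdr.encode() + data + (b"\n" if len(data) % 2 else b"")
    return bytes(out)

def ar_unpack(blob):
    """Parse the archive back into (name, bytes) pairs (60-byte headers)."""
    pos, members = 8, []
    while pos < len(blob):
        hdr = blob[pos:pos + 60]
        name, size = hdr[:16].decode().rstrip(), int(hdr[48:58].decode())
        members.append((name, blob[pos + 60:pos + 60 + size]))
        pos += 60 + size + size % 2  # members are 2-byte aligned
    return members

def dev_sign(deb, dev_key):
    """Scenario 'a': add 'digests' (SHA512 per member) plus a signature over it,
    the role dpkg-sig's digests.asc plays. HMAC is an assumed stand-in for OpenPGP."""
    members = ar_unpack(deb)
    digests = "".join(f"SHA512 {hashlib.sha512(d).hexdigest()} {n}\n"
                      for n, d in members).encode()
    sig = hmac.new(dev_key, digests, "sha512").digest()
    return ar_pack(members + [("digests", digests), ("digests.asc", sig)])

def dev_verify(deb, dev_key):
    """Upload check: signature holds and every member hash matches (none missing/added)."""
    m = dict(ar_unpack(deb))
    digests, sig = m.pop("digests", b""), m.pop("digests.asc", b"")
    if not hmac.compare_digest(sig, hmac.new(dev_key, digests, "sha512").digest()):
        return False
    want = {ln.split()[2]: ln.split()[1] for ln in digests.decode().splitlines()}
    return want.keys() == m.keys() and all(
        hashlib.sha512(m[n]).hexdigest() == h for n, h in want.items())

def store_publish(deb, store_key):
    """Second tier: the appstore signs the SHA512 of the whole accepted deb."""
    h = hashlib.sha512(deb).digest()
    return h, hmac.new(store_key, h, "sha512").digest()

def client_install_ok(deb, signed_hash, store_key):
    """Secure-mode client: verify the store signature on the hash, then hash vs deb."""
    h, sig = signed_hash
    return (hmac.compare_digest(sig, hmac.new(store_key, h, "sha512").digest())
            and hmac.compare_digest(h, hashlib.sha512(deb).digest()))
```

A real implementation would check OpenPGP signatures against the developer's and the store's public keys instead of the shared-key HMAC used here.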
